From 42cf1897495524ae85b428381b1a0f078b62e403 Mon Sep 17 00:00:00 2001 From: hailin Date: Sun, 1 Feb 2026 21:35:00 -0800 Subject: [PATCH] =?UTF-8?q?feat(api-gateway):=20=E6=B7=BB=E5=8A=A0=20mapi.?= =?UTF-8?q?szaiai.com=20nginx+SSL=20=E9=85=8D=E7=BD=AE=E5=92=8C=20deploy.s?= =?UTF-8?q?h=20nginx=20=E5=AD=90=E5=91=BD=E4=BB=A4?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - 新增 nginx/mapi.szaiai.com.conf: 与 rwaapi.szaiai.com 同构的 SSL 反代配置 - deploy.sh 新增 nginx install/ssl 子命令,支持一键安装 nginx+证书 - 用法: sudo ./deploy.sh nginx install mapi.szaiai.com Co-Authored-By: Claude Opus 4.5 --- backend/api-gateway/deploy.sh | 140 ++++++++++++++++++ .../api-gateway/nginx/mapi.szaiai.com.conf | 99 +++++++++++++ 2 files changed, 239 insertions(+) create mode 100644 backend/api-gateway/nginx/mapi.szaiai.com.conf diff --git a/backend/api-gateway/deploy.sh b/backend/api-gateway/deploy.sh index fe2bc9f5..f0168c53 100755 --- a/backend/api-gateway/deploy.sh +++ b/backend/api-gateway/deploy.sh @@ -268,6 +268,127 @@ cmd_metrics() { fi } +# 安装 Nginx + SSL 证书 (新域名) +cmd_nginx_install() { + local domain="${1:-mapi.szaiai.com}" + local email="${2:-admin@szaiai.com}" + local conf_file="$SCRIPT_DIR/nginx/${domain}.conf" + + log_info "为域名 $domain 安装 Nginx + SSL..." + + # 检查 conf 文件是否存在 + if [ ! -f "$conf_file" ]; then + log_error "Nginx 配置文件不存在: $conf_file" + log_error "请先在 nginx/ 目录下创建 ${domain}.conf" + exit 1 + fi + + # 检查 root 权限 + if [ "$EUID" -ne 0 ]; then + log_error "需要 root 权限: sudo ./deploy.sh nginx install $domain" + exit 1 + fi + + # 1. 安装依赖 + log_info "[1/4] 检查并安装依赖..." + if ! command -v nginx &> /dev/null; then + apt update && apt install -y nginx + systemctl enable nginx + systemctl start nginx + fi + log_success "Nginx 已就绪" + + if ! command -v certbot &> /dev/null; then + apt install -y certbot python3-certbot-nginx + fi + log_success "Certbot 已就绪" + + # 2. 部署 HTTP 临时配置 + log_info "[2/4] 部署 HTTP 临时配置..." + mkdir -p /var/www/certbot + + cat > /etc/nginx/sites-available/$domain << HTTPEOF +server { + listen 80; + listen [::]:80; + server_name $domain; + + location /.well-known/acme-challenge/ { + root /var/www/certbot; + } + + location / { + proxy_pass http://127.0.0.1:8000; + proxy_http_version 1.1; + proxy_set_header Host \$host; + proxy_set_header X-Real-IP \$remote_addr; + proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto \$scheme; + } +} +HTTPEOF + + ln -sf /etc/nginx/sites-available/$domain /etc/nginx/sites-enabled/ + nginx -t && systemctl reload nginx + log_success "HTTP 配置完成" + + # 3. 申请 SSL 证书 + log_info "[3/4] 申请 SSL 证书..." + if [ -d "/etc/letsencrypt/live/$domain" ]; then + log_warn "证书已存在,跳过申请" + else + echo "" + log_warn "请确保 DNS A 记录 $domain 已指向本服务器 IP" + read -p "继续申请证书? (y/n): " confirm + if [ "$confirm" != "y" ] && [ "$confirm" != "Y" ]; then + log_info "已跳过,当前为 HTTP 模式。稍后运行: sudo ./deploy.sh nginx ssl $domain" + return 0 + fi + certbot certonly --webroot --webroot-path=/var/www/certbot \ + --email $email --agree-tos --no-eff-email -d $domain + fi + log_success "SSL 证书就绪" + + # 4. 部署 HTTPS 完整配置 + log_info "[4/4] 部署 HTTPS 配置..." + cp "$conf_file" /etc/nginx/sites-available/$domain + nginx -t && systemctl reload nginx + + log_success "$domain 配置完成!" + echo "" + echo -e " 访问地址: ${BLUE}https://$domain${NC}" + echo -e " 查看日志: tail -f /var/log/nginx/${domain}.access.log" + echo "" +} + +# 仅申请/续期 SSL 证书 +cmd_nginx_ssl() { + local domain="${1:-mapi.szaiai.com}" + local email="${2:-admin@szaiai.com}" + local conf_file="$SCRIPT_DIR/nginx/${domain}.conf" + + if [ "$EUID" -ne 0 ]; then + log_error "需要 root 权限: sudo ./deploy.sh nginx ssl $domain" + exit 1 + fi + + if [ -d "/etc/letsencrypt/live/$domain" ]; then + log_info "证书已存在,尝试续期..." + certbot renew --cert-name $domain + else + log_info "为 $domain 申请 SSL 证书..." + certbot certonly --webroot --webroot-path=/var/www/certbot \ + --email $email --agree-tos --no-eff-email -d $domain + fi + + # 部署 HTTPS 配置 + if [ -f "$conf_file" ]; then + cp "$conf_file" /etc/nginx/sites-available/$domain + nginx -t && systemctl reload nginx + log_success "HTTPS 配置已部署" + fi +} + # 显示帮助 show_help() { echo "" @@ -289,6 +410,10 @@ show_help() { echo " test 测试 API 路由" echo " clean 清理容器和数据" echo "" + echo "Nginx 命令:" + echo " nginx install [domain] 安装 Nginx + SSL 证书 (默认: mapi.szaiai.com)" + echo " nginx ssl [domain] 申请/续期 SSL 证书" + echo "" echo "监控命令:" echo " monitoring install [domain] 一键安装监控 (Nginx+SSL+服务)" echo " monitoring up 启动监控栈" @@ -343,6 +468,21 @@ main() { clean) cmd_clean ;; + nginx) + case "${2:-install}" in + install) + cmd_nginx_install "$3" "$4" + ;; + ssl) + cmd_nginx_ssl "$3" "$4" + ;; + *) + log_error "未知 nginx 命令: $2" + echo "用法: ./deploy.sh nginx [install|ssl] [domain]" + exit 1 + ;; + esac + ;; monitoring) case "${2:-up}" in install) diff --git a/backend/api-gateway/nginx/mapi.szaiai.com.conf b/backend/api-gateway/nginx/mapi.szaiai.com.conf new file mode 100644 index 00000000..9d1b9f95 --- /dev/null +++ b/backend/api-gateway/nginx/mapi.szaiai.com.conf @@ -0,0 +1,99 @@ +# RWADurian Mining Admin API Gateway Nginx 配置 +# 域名: mapi.szaiai.com +# 后端: Kong API Gateway (端口 8000) +# 放置路径: /etc/nginx/sites-available/mapi.szaiai.com +# 启用: ln -s /etc/nginx/sites-available/mapi.szaiai.com /etc/nginx/sites-enabled/ + +# HTTP 重定向到 HTTPS +server { + listen 80; + listen [::]:80; + server_name mapi.szaiai.com; + + # Let's Encrypt 验证目录 + location /.well-known/acme-challenge/ { + root /var/www/certbot; + } + + # 重定向到 HTTPS + location / { + return 301 https://$host$request_uri; + } +} + +# HTTPS 配置 +server { + listen 443 ssl http2; + listen [::]:443 ssl http2; + server_name mapi.szaiai.com; + + # SSL 证书 (Let's Encrypt) + ssl_certificate /etc/letsencrypt/live/mapi.szaiai.com/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/mapi.szaiai.com/privkey.pem; + + # SSL 配置优化 + ssl_session_timeout 1d; + ssl_session_cache shared:SSL:50m; + ssl_session_tickets off; + + # 现代加密套件 + ssl_protocols TLSv1.2 TLSv1.3; + ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; + ssl_prefer_server_ciphers off; + + # HSTS + add_header Strict-Transport-Security "max-age=63072000" always; + + # 日志 + access_log /var/log/nginx/mapi.szaiai.com.access.log; + error_log /var/log/nginx/mapi.szaiai.com.error.log; + + # Gzip 压缩 + gzip on; + gzip_vary on; + gzip_proxied any; + gzip_comp_level 6; + gzip_types text/plain text/css text/xml application/json application/javascript application/rss+xml application/atom+xml image/svg+xml; + + # 安全头 + add_header X-Frame-Options "SAMEORIGIN" always; + add_header X-Content-Type-Options "nosniff" always; + add_header X-XSS-Protection "1; mode=block" always; + add_header Referrer-Policy "strict-origin-when-cross-origin" always; + + # 客户端请求大小限制 (500MB 用于 APK/IPA 上传) + client_max_body_size 500M; + + # 反向代理到 Kong API Gateway + location / { + proxy_pass http://127.0.0.1:8000; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection 'upgrade'; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $server_port; + proxy_cache_bypass $http_upgrade; + + # 超时设置 (适配大文件上传) + proxy_connect_timeout 60s; + proxy_send_timeout 300s; + proxy_read_timeout 300s; + + # 缓冲设置 + proxy_buffering on; + proxy_buffer_size 128k; + proxy_buffers 4 256k; + proxy_busy_buffers_size 256k; + } + + # 健康检查端点 (直接返回) + location = /health { + access_log off; + return 200 '{"status":"ok","service":"mapi-nginx"}'; + add_header Content-Type application/json; + } +}